Help with getting Unbound to use DoH (DNS over HTTPS)

I have been using Unbound with DoT but would like to see about moving over to HTTPS. I have been looking for how to do this, but what I have found so far doesn't give me the information I am looking for. I have some experience with Linux but am nowhere near being a programmer.

Here is what I have found so far -

Since I installed using apt, I figure that I should uninstall it first:

sudo apt remove unbound

Download/compile unbound to use DoH:

wget http://www.nlnetlabs.nl/downloads/unbound/unbound-1.13.1.tar.gz
tar -zxvf unbound-1.13.1.tar.gz
cd unbound-1.13.1    # (missing step?) enter the extracted source directory before ./configure
./configure --with-libnghttp2
make
make install

# configuring unbound to use DoH
server:
    interface: 127.0.0.1@443
    tls-service-key: "key.pem"
    tls-service-pem: "cert.pem"

# Adapted from TLS/DoT instructions, so not sure about this
forward-zone:
    name: "."
    forward-tls-upstream: yes

# Cloudflare DNS
    forward-addr: 2606:4700:4700::1111@443#cloudflare-dns.com
    forward-addr: 1.1.1.1@443#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@443#cloudflare-dns.com
    forward-addr: 1.0.0.1@443#cloudflare-dns.com

Is this correct?
I would appreciate any pointers to help get this working.

Thanks,
Ron

Hi.

Try adding the --with-ssl compile option. You can then run unbound with -d and -v
for debug information during startup, which will give you more information about why it is not
working.

Henrik:

Thanks for your response.
My question is: will the steps I outlined work to get this running?
I have looked for the steps to do this in Unbound's FAQ and other places and haven't found anything.

Ron

# configuring unbound to use DoH
server:
    interface: 127.0.0.1@443
    tls-service-key: "key.pem"
    tls-service-pem: "cert.pem"

No, unbound doesn't magically "use" DoH with this configuration.
This sets up a DoH **server**. As you selected 127.0.0.1, it will be reachable only from DoH clients running on localhost.
It's not what you want ...

# Adapted from TLS/DoT instructions, so not sure about this
forward-zone:
    name: "."
    forward-tls-upstream: yes

Note the "-tls-": it enables unbound to act as a DoT client.

# Cloudflare DNS
    forward-addr: 2606:4700:4700::1111@443#cloudflare-dns.com
    forward-addr: 1.1.1.1@443#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@443#cloudflare-dns.com
    forward-addr: 1.0.0.1@443#cloudflare-dns.com

You've configured unbound to talk TLS to a DoH server.

Is this correct?

No.

I would appreciate any pointers to help get this working.

I'm not aware that unbound (up to 1.13.1) can act as a DoH client.

Stay with DoT to CF for now.

Andreas
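To make the distinction in the reply above concrete, here is an added example configuration that is not part of this thread or of the Unbound project's documentation. It shows the DoT-client form of Ron's forward-zone that works with Unbound 1.13.x (port 853, plus a CA bundle so the "#cloudflare-dns.com" authentication name is actually verified), and keeps the DoH-server settings separate and commented out so the two roles are not confused. The listen port 5335, the CA bundle path and the certificate file names are assumptions; adjust them for your system.

```conf
# Added example (not from the thread). Assumptions: Unbound 1.13.x built
# with --with-ssl, Pi-hole on port 53 forwarding to 127.0.0.1#5335,
# Debian-style CA bundle path.
server:
    # Listen locally on a port Pi-hole forwards to; 53 is taken by Pi-hole.
    interface: 127.0.0.1@5335
    interface: ::1@5335
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

    # Required for the "#cloudflare-dns.com" name on forward-addr to be
    # checked against the upstream certificate. Without a bundle Unbound
    # warns at startup and does not authenticate the upstream.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # assumed path

    # --- Only if you want Unbound to *serve* DoH to other clients ---
    # This is what Ron's first block did; it does not affect upstream queries.
    # interface: 0.0.0.0@443
    # https-port: 443
    # http-endpoint: "/dns-query"
    # tls-service-key: "/etc/unbound/key.pem"     # assumed path
    # tls-service-pem: "/etc/unbound/cert.pem"    # assumed path

# DoT *client*: Unbound encrypts its own upstream queries.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # DoT is port 853. Port 443 is DoH (HTTP/2 framing), which a 1.13.x
    # forwarder cannot speak, so @443 fails at the TLS/protocol layer.
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check it with `unbound-checkconf` (it reports the missing-bundle warning mentioned above), start it with `unbound -d -vv` as Henrik suggests to watch the TLS handshake to the upstream, then query it directly with `dig @127.0.0.1 -p 5335 example.com` before pointing Pi-hole's custom upstream at `127.0.0.1#5335`.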

Andreas:

Thanks for your response.
I need to explain about the 127.0.0.1.
I am running this on a Raspberry Pi along with Pi-hole. Pi-hole answers the initial query and forwards it to Unbound if it doesn't have the info.
From what I had read, I thought that I could configure Unbound to talk DoH to the upstream DNS.
Looks like it isn't an option at this point.

Ron

https://calomel.org/

You will find help on the site above.